Abstract

To remove the key escrow problem and avoid the need for a secure channel in ID-based cryptosystems, Lee et al. [1] proposed a secure key issuing protocol. However, we show that it suffers from impersonation, insider attacks and incompetency of the key privacy authorities. We also cryptanalyze Sui et al.'s [2] separable and anonymous key issuing protocol.

1 Review of Lee et al.'s Protocol [1] 

It includes five stages namely, System Setup, System Public Key Setup, Key Issuing, Key Securing 
and Key Retrieving. 

1.1 System Setup 

The KGC specifies two cyclic groups $G_1$, $G_2$ of prime order $q$, where $G_1$ is an additive group and $G_2$ is a multiplicative group. It also defines a bilinear mapping $e : G_1 \times G_1 \to G_2$ and hash functions $H : \{0,1\}^* \to G_1$, $h : G_2 \to Z_q^*$. Let $P \in G_1$ be an arbitrary generator of $G_1$. The KGC selects a master key $s_0 \in Z_q^*$ at random and computes its public key $P_0 = s_0 P$.



1.2 System Public Key Setup 

The $n$ KPAs establish their key pairs. $KPA_i$ chooses his master key $s_i$ and computes his public key $P_i = s_i P$, for all $i = 1, \ldots, n$. Then all KPAs cooperate sequentially and compute $Y'_i = s_i Y'_{i-1}$, where $Y'_0 = P_0 = s_0 P$.

Finally, $Y = Y'_n = s_0 s_1 \cdots s_n P$ is published as system public key. This sequential process can be verified by $e(Y'_i, P) = e(Y'_{i-1}, P_i)$.



1.3 Key Issuing 

A user with ID chooses a random secret $x$, computes a blinding factor $X = xP$ and requests the KGC to issue a partial private key by sending $X$, ID. Then the KGC issues a blinded partial private key as follows.

1. Checks the identification and computes the public key of the user as $Q_{ID} = H(ID, KGC, KPA_1, \ldots, KPA_n)$.

2. Computes a blinded partial private key as $Q'_0 = h(e(s_0 X, P_0))\, s_0 Q_{ID}$.

3. Computes KGC's signature on $Q'_0$ as $Sig_0(Q'_0) = s_0 Q'_0$.

4. Sends $Q'_0$ and $Sig_0(Q'_0)$ to the user.

The user can unblind $Q'_0$ using his knowledge of $x$, since
$h(e(s_0 X, P_0)) = h(e(s_0 x P, P_0)) = h(e(P_0, P_0)^x)$.

1.4 Key Securing 

The user requests $KPA_i$ ($i = 1, \ldots, n$) sequentially to provide key privacy service by sending ID, $X$, $Q'_{i-1}$ and $Sig_{i-1}(Q'_{i-1})$. Then $KPA_i$ performs the following steps.

1. Checks $e(Sig_{i-1}(Q'_{i-1}), P) = e(Q'_{i-1}, P_{i-1})$.

2. Computes $Q'_i = h(e(s_i X, P_i))\, s_i Q'_{i-1}$ and $Sig_i(Q'_i) = s_i Q'_i$.

3. Sends $Q'_i$ and $Sig_i(Q'_i)$ to the user.

This process is carried out up to $KPA_n$. Finally the user receives $Q'_n$.

1.5 Key Retrieving 

The user retrieves his private key $S_{ID}$ by unblinding $Q'_n$ as follows.

$$S_{ID} = \frac{Q'_n}{h(e(P_0,P_0)^x)\, h(e(P_1,P_1)^x) \cdots h(e(P_n,P_n)^x)} = s_0 s_1 \cdots s_n Q_{ID}$$

The user can verify the correctness of his private key by $e(S_{ID}, P) = e(Q_{ID}, Y)$.

2 Cryptanalysis of Lee et al.'s Protocol 

2.1 Impersonation Attack 

In the Key Issuing phase, the user sends $X = xP$ and ID to the KGC. Any active adversary can replace $X$ with $X^* = x^*P$, and the KGC cannot detect this because there is no binding between the ID and $X$. The KGC then computes the partial private key $Q_0^* = h(e(s_0 X^*, P_0))\, s_0 Q_{ID}$ and sends it to the user through a public channel. The adversary can eavesdrop $Q_0^*$ and request the KPAs for key privacy service. At the end, the adversary can extract the private key by unblinding $Q_n^*$.

2.2 Insider Attack 

In the Key Securing phase, the user requests $KPA_i$ to provide key privacy service by sending ID, $X$, $Q'_{i-1}$, $Sig_{i-1}(Q'_{i-1})$, where the fourth parameter is a signature of $KPA_{i-1}$ on the third parameter.

If $KPA_{i-1}$ wants a signature of $KPA_i$ on $m$, he sends $ID^*$, $X^* = x^*P$, $Q^*_{i-1} = rH(m)$ and $Sig_{i-1}(Q^*_{i-1}) = r s_{i-1} H(m)$ to $KPA_i$, where $r \in_R Z_q^*$. Then $KPA_i$ performs the following steps.

1. Checks $e(Sig_{i-1}(Q^*_{i-1}), P) = e(Q^*_{i-1}, P_{i-1})$.

2. Computes $Q^*_i = h(e(s_i X^*, P_i))\, s_i Q^*_{i-1}$ and $Sig_i(Q^*_i) = s_i Q^*_i$.

3. Sends $Q^*_i$ and $Sig_i(Q^*_i)$ to the user (i.e. $KPA_{i-1}$).

Now $KPA_{i-1}$ has $Q^*_i = h(e(s_i X^*, P_i))\, s_i r H(m)$ and he can extract the signature of $KPA_i$ on $m$ as $h(e(P_i, P_i)^{x^*})^{-1} r^{-1} Q^*_i = s_i H(m)$. At the same time, $KPA_i$ cannot get the signature of $KPA_{i-1}$ (i.e. $s_{i-1}H(m)$), because $KPA_{i-1}$ sends his signature in a blinded manner. Thus, $KPA_{i-1}$ can obtain $KPA_i$'s signature on any message of his choice.
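
The algebra of this section can be checked numerically. The following Python sketch is an added example, not code from the paper: it assumes an insecure toy pairing in which a $G_1$ element $aP$ is stored as $a \bmod q$, and the names `kpa_step`, `insider_extracts_signature` and `verifies` are hypothetical. It shows that the value $KPA_{i-1}$ recovers passes $e(\sigma, P) = e(H(m), P_i)$, i.e. it is $KPA_i$'s signature on a message $KPA_i$ never saw.

```python
import hashlib, secrets

# Toy pairing (constructed, insecure): a G1 element aP is stored as a mod Q
# and e(aP, bP) = G^(a*b) mod PRIME. Only the bilinear algebra is real.
Q, PRIME, G, P = 1019, 2039, 4, 1      # G has order Q in Z_PRIME^*; P = 1*P

def e(a, b):
    return pow(G, (a * b) % Q, PRIME)

def _digest(tag, data):
    d = hashlib.sha256(f"{tag}|{data}".encode()).digest()
    return 1 + int.from_bytes(d, "big") % (Q - 1)    # in [1, Q-1], never 0

def H(msg):                             # H: {0,1}* -> G1
    return _digest("H", msg)

def h(gt):                              # h: G2 -> Z_q^*
    return _digest("h", gt)

def rand_scalar():
    return 1 + secrets.randbelow(Q - 1)

def kpa_step(s_i, X, Q_prev, sig_prev, P_prev):
    """KPA_i in Key Securing (Section 1.4): check, then blind-sign."""
    if e(sig_prev, P) != e(Q_prev, P_prev):
        raise ValueError("signature check failed")
    P_i = s_i * P % Q
    Q_i = h(e(s_i * X % Q, P_i)) * s_i * Q_prev % Q
    return Q_i, s_i * Q_i % Q

def insider_extracts_signature(m):
    s_prev, s_i = rand_scalar(), rand_scalar()   # master keys of KPA_{i-1}, KPA_i
    P_prev, P_i = s_prev * P % Q, s_i * P % Q
    # KPA_{i-1} acts as a user: Q*_{i-1} = r H(m), signed with its own key.
    r, x_star = rand_scalar(), rand_scalar()
    Q_prev = r * H(m) % Q
    Q_i, _ = kpa_step(s_i, x_star * P % Q, Q_prev, s_prev * Q_prev % Q, P_prev)
    # Unblind: h(e(P_i, P_i)^{x*})^{-1} r^{-1} Q*_i = s_i H(m)
    blind = h(pow(e(P_i, P_i), x_star, PRIME))
    return pow(blind * r % Q, -1, Q) * Q_i % Q, P_i

def verifies(sigma, m, pub):
    """Signature check of the protocol's form: e(sigma, P) = e(H(m), pub)."""
    return e(sigma, P) == e(H(m), pub)
```

The check in `kpa_step` only confirms that the previous authority signed whatever was submitted; nothing ties that value to $Q_{ID}$, which is why $KPA_i$ ends up signing $rH(m)$.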



2.3 Incompetency of KPAs 



In the Key Securing phase, the user requests $KPA_i$ ($i = 1, 2, \ldots, n$) sequentially to provide key privacy service by sending ID, $X$, $Q'_{i-1}$ and $Sig_{i-1}(Q'_{i-1})$. Then $KPA_i$ validates the received parameters by checking the equality
$e(Sig_{i-1}(Q'_{i-1}), P) = e(Q'_{i-1}, P_{i-1})$.

Any active adversary can alter $Q'_{i-1}$, $Sig_{i-1}(Q'_{i-1})$ and replace them with $Q^*_{i-1} = r^* Q'_{i-1}$, $Sig_{i-1}(Q^*_{i-1}) = r^* Sig_{i-1}(Q'_{i-1})$. Then $KPA_i$ performs the following steps.

1. Checks $e(Sig_{i-1}(Q^*_{i-1}), P) = e(Q^*_{i-1}, P_{i-1})$.

2. Computes $Q^*_i = h(e(s_i X, P_i))\, s_i Q^*_{i-1}$ and $Sig_i(Q^*_i) = s_i Q^*_i$.

3. Sends $Q^*_i$ and $Sig_i(Q^*_i)$ to the user.

It may be noted that the user does not check the correctness of the received parameters in intermediate stages. Therefore any modification by an adversary during the communication between the user and $KPA_i$ will go undetected until the end of the Key Securing phase. This requires the user to execute this phase again from the beginning. Further, as the KGC and KPAs are not capable of checking the validity of the received parameters, they are signing them blindly.

The attack given in Section 2.1 can also be applied to [3]. 

3 Review of Sui et al. [2] 

A one-time password pwd can be established between the Local Registration Authority (LRA) and the user after the off-line authentication.

Setup (run by KGC): It takes the security parameter $k$ and returns params (System Parameters) and the master-key. Let $G$ be a GDH group of prime order $p$. Public information is $I_{SAKI} = (G, p, H, P_{pkg})$. $P$ is a generator of $G$, $H : \{0,1\}^* \to G$ is a one-way hash function and $Q_A = H(id_A)$. $P_{pkg} = sP$ is the system public key.

Key Generation: It takes as inputs params, master-key, and an arbitrary $ID \in \{0,1\}^*$, and returns a private key $S_{ID}$. The password pwd is the user's chosen password during off-line authentication and the tuple (ID, pwd) is stored in KGC's database of "pending private key".

1. A: selects a random number $r$, A $\to$ KGC: $Q = rH(ID)$, $T = r^{-1}H(pwd)$.

2. KGC: checks the validity of the request by checking whether $e(Q, T) = e(H(ID), H(pwd))$ holds for a certain tuple in KGC's database.

3. KGC: computes $sQ$, KGC $\to$ A: $S = sQ$.

4. A: verifies the blinded private key by checking $e(S, P) = e(Q, P_{pkg})$. If it holds, A unblinds the encrypted private key and obtains $sH(ID)$.

The user can delete pwd after obtaining the private key. The KGC can also remove the tuple (ID, pwd) 
from the database after the protocol. 

4 Cryptanalysis of Sui et al. Protocol 

4.1 Stolen Verifier Attack 

In Sui et al.'s protocol, (ID, password) is stored in KGC's database. If an adversary steals the database, he can obtain genuine users' secrets by requesting the KGC on behalf of any registered user available in the database. Though the KGC stores (ID, password) only for a short time, until the corresponding secret key is issued, it affects the protocol entirely.



4.2 Insider Attack 



In practice, it is likely that a user uses the same password to access several systems and for other purposes, for his convenience. In the registration phase, the user gives his password pwd to the LRA and the LRA stores the ID and corresponding password in the database. In the extended scheme given to remove the key escrow by a single KGC, the database is accessible by multiple KGCs and the LRA. Any insider of the system could steal the password, impersonate the user's login and get access to the other systems.

4.3 Incompetency of KGCs 

A user requests for private key as follows: 

• Selects a random number $r$, computes $Q = rH(ID)$, $T = r^{-1}H(password)$ and sends them to the KGC.

• KGC checks the validity of the request by checking the equality
$e(Q, T) = e(H(ID), H(password))$.

• Computes blinded private key $S = sQ$ and sends it to the user, where $s$ is the KGC's private key.

• Then the user verifies $S$ by checking the equality $e(S, P) = e(Q, P_{pub})$, where $P_{pub} = sP$ is KGC's public key.

Any adversary can alter the parameters $Q$, $T$ and replace them with $Q^* = r^*Q$, $T^* = r^{*-1}T$, and the KGC verifies the equality $e(Q^*, T^*) = e(H(ID), H(password))$. Then the KGC computes $S^* = sQ^*$ and sends it to the user. In this protocol the KGC cannot check the validity of the parameters received and thus blindly signs them.
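
The rescaling argument used here, and in the same form in Section 2.3, can be checked numerically. This added Python example is not from the paper: it assumes an insecure toy pairing ($aP$ stored as $a \bmod q$), a constructed identity and password, and a hypothetical `KGC` class and `run` function. It shows that the KGC's check accepts the rescaled request, while the user's own check $e(S, P) = e(Q, P_{pub})$ against the $Q$ he sent rejects the returned value.

```python
import hashlib, secrets

# Toy pairing (constructed, insecure): aP is stored as a mod Q and
# e(aP, bP) = G^(a*b) mod PRIME. Only the bilinear algebra is real.
Q, PRIME, G, P = 1019, 2039, 4, 1

def e(a, b):
    return pow(G, (a * b) % Q, PRIME)

def H(data):                                     # H: {0,1}* -> G, never identity
    d = hashlib.sha256(data.encode()).digest()
    return 1 + int.from_bytes(d, "big") % (Q - 1)

class KGC:
    def __init__(self):
        self.s = 1 + secrets.randbelow(Q - 1)    # master key
        self.P_pub = self.s * P % Q
        self.pending = {}                        # ID -> pwd ("pending private key")

    def issue(self, Q_req, T_req):
        """Steps 2-3: accept if e(Q,T) matches a pending tuple, return sQ."""
        for ident, pwd in self.pending.items():
            if e(Q_req, T_req) == e(H(ident), H(pwd)):
                return self.s * Q_req % Q
        return None

def run(tamper):
    ident, pwd = "alice@example.test", "constructed-pwd"   # constructed values
    kgc = KGC()
    kgc.pending[ident] = pwd
    r = 1 + secrets.randbelow(Q - 1)
    Q_user = r * H(ident) % Q
    T_user = pow(r, -1, Q) * H(pwd) % Q
    Q_sent, T_sent = Q_user, T_user
    if tamper:                                   # in-transit rescaling by r* != 1
        r_star = 2 + secrets.randbelow(Q - 2)
        Q_sent = r_star * Q_user % Q
        T_sent = pow(r_star, -1, Q) * T_user % Q
    S = kgc.issue(Q_sent, T_sent)
    issued = S is not None
    # User's step 4 check, against the Q the user actually sent.
    user_ok = issued and e(S, P) == e(Q_user, kgc.P_pub)
    key_ok = user_ok and pow(r, -1, Q) * S % Q == kgc.s * H(ident) % Q
    return issued, user_ok, key_ok
```

`run(False)` returns `(True, True, True)` and `run(True)` returns `(True, False, False)`: the KGC issues in both cases, and only the user's final check distinguishes them.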

5 Conclusion 

In this work we have cryptanalyzed two ID-based key issuing protocols of [1, 2]. We showed that the Lee et al. [1] protocol suffers from impersonation, insider attacks and incompetency of the key privacy authorities. We also showed that Sui et al.'s [2] separable and anonymous key issuing protocol suffers from stolen verifier, insider attacks and incompetency of key generation centers.